Google Will Begin Testing End-to-End Encryption for Messages
Messenger flaw could have allowed eavesdropping, popular Android app exposes millions of users videos and photos, UK launches offensive cyber force, FireEye buys Respond Software after raising $400M
Google announced that it had completed a global rollout of Rich Communication Services (RCS), while Messages will start testing end-to-end encryption. RCS is a messaging protocol that offers a richer text-based system than SMS. One of the biggest concerns about RCS is the protection of the messages, and to that end, Google will start protecting Messages with end-to-end encryption. During the tests, both sides must be using the latest beta version of Messages and have Chat features over data or Wi-Fi enabled. (Abner Li / 9 to 5 Google)
Related: Neowin, TechCrunch, HotHardware.com, Tech Xplore, Android Police, Android Central, Digital Transactions, Trusted Reviews, Techradar, The Verge, Slashdot, SecurityWeek, HackRead, Cyberscoop, Dark Reading: Vulnerabilities / Threats, Security Affairs
FireEye Buys Respond Software After Receiving $400 Million From Blackstone, ClearSky
Cybersecurity giant FireEye bought security incident investigation company Respond Software. It announced a $400 million investment from Blackstone Tactical Opportunities fund and ClearSky (an investor in Respond), giving the company even more cash to buy other companies. Respond says its role is to fill the gap between attackers and first responders, the security analysts, and engineers that defend the enterprise. (Ron Miller / TechCrunch)
A flaw in Facebook Messenger Could Have Allowed Attackers to Eavesdrop on Users
Google’s Project Zero bug-hunting team discovered a bug in Facebook Messenger that could have allowed an attacker to call users and start listening to them before they picked up. The team was rewarded $60,000 for its discovery. The bug affected Facebook Messenger for Android, and Facebook rectified it by adjusting its own server-side infrastructure, which instantly fixed the flaw. (Lily Hay Newman / Wired)
Technique Developed That Can Turn Smart Vacuum Cleaners Into Microphones Capable of Picking Up Conversations
A team of academics from the National University of Singapore and the University of Maryland developed a novel technique called LidarPhone that converted a smart vacuum cleaner into a microphone capable of recording nearby conversations. The technique works by taking the vacuum's built-in LiDAR laser-based navigational component and converting it into a laser microphone. (Catalin Cimpanu / ZDNet)
Phishing Attacks Soared in the UK in the Six Months Following the COVID-19 Crisis
Her Majesty's Revenue and Customs (HMRC) service in the UK detected a 73% rise in email phishing attacks in the six months after the COVID-19 pandemic struck the country, according to data obtained by a freedom of information request filed by Lamop Outsourcing. An average of 45,046 email attacks per month was detected from March to September 2020, compared to an average of 26,100 in the two months preceding the introduction of COVID-19 lockdown measures, January and February. (James Coker / Infosecurity Magazine)
Mozilla Opens Up its Controversial DoH Protocol for Public Comment
Mozilla has opened up for public comment and consultation the ways it could enable support for the controversial privacy-centric DNS-over-HTTPS (DoH) protocol inside Firefox, following criticism it faced in the UK for its plans to support DoH inside Firefox. Law enforcement and some ISPs criticized Mozilla for the feature because it helps users bypass firewalls and parental control features. (Catalin Cimpanu / ZDNet)
Majority of British Information Security Professionals Worry About Accidentally Violating Country’s Computer Misuse Act of 1990
Around 80% of British information security professionals worry about accidentally breaking the UK's antiquated Computer Misuse Act of 1990, according to a campaign group called Cyberup, which includes NCC Group, Orpheus Cyber, Context Information Security, Nettitude, F-Secure, and others. One criticism of the Act is that when probing adversaries’ infrastructure, researchers could end up breaking section 1 of the Act, which bans "unauthorized" acts on other people's computers, even when criminals operate those machines. (Gareth Corfield / The Register)
Popular Android App Go SMS Pro Exposes Millions of Users’ Photos and Videos
An Android instant messaging application with over 100 million installations, Go SMS Pro, has exposed millions of photos and videos, according to cybersecurity firm Trustwave. The private media files sent by users to contacts who don't have the app installed on their devices can be accessed from the app's servers using a shortened URL that redirects to a content delivery network used by Go SMS Pro, making it easy for anyone to go through the private files of the app’s users, even if they don’t know about the shortened URLs. Trustwave has repeatedly reached out to the app’s developers but has received no response. (Sergiu Gatlan / Bleeping Computer)
The UK Officially Launches Offensive Hacking Unit National Cyber Force
Britain has unveiled its National Cyber Force (NCF), a unit of offensive hackers controlled by the spy agency GCHQ that can target hostile states such as China and Russia, terror groups, and even pedophiles by disrupting their online communications. NCF has secretly been running since April with several hundred hackers based in Cheltenham and other military sites around the country. (Dan Sabbagh / The Guardian)
Other Infosec Developments
Microsoft has added to Microsoft Defender for Office 365 high-priority protection for the accounts of high-profile employees, such as executive-level managers, who are most often targeted by threat actors. The feature protects against business email compromise and credential phishing and provides automated remediation of detected attacks. (Sergiu Gatlan / Bleeping Computer)
A new report from Europol, the United Nations Interregional Crime and Justice Research Institute (UNICRI), and Trend Micro warns that criminals are putting AI to malicious use, and not only for deepfakes. The report concludes that “new screening technology will be needed in the future to mitigate the risk of disinformation campaigns and extortion, as well as threats that target AI data sets.” (Europol)
Related: Infosecurity Magazine
Drupal has released security updates to fix a critical remote code execution vulnerability (CVE-2020-1367) related to failure to sanitize uploaded files' names properly. (Eduard Kovacs / Security Week)
The former UK Chancellor of the Exchequer under Prime Minister David Cameron has been slammed by a parliamentary committee for wasting up to £50 million (or around $66 million) of public money on plush central London offices for the National Cyber Security Centre (NCSC), an arm of the GCHQ intelligence agency. The Intelligence and Security Committee (ISC) said the decision to acquire workspace at Nova South in Victoria, central London, was unacceptable and had “an emphasis on image rather than cost.”
Krebs Is Alright
The urgent topic all week has been Donald Trump’s firing of CISA’s Christopher Krebs. As predicted, Krebs has not only landed on his feet, he is also now the Treasurer of the Dead Poet’s Society (lol) while he contemplates what no doubt will be a successful future.
Krebs also continued to receive plaudits, including one from Stephen Colbert.
Finally, Washington Post columnist David Ignatius wrote an op-ed saying that the “United States needs more profiles in courage” like Krebs’ stand against Trump’s promulgation of scurrilous conspiracy theories.
If Trump thought his firing would cause Krebs to back down, yesterday put the lie to that idea. Following an insane press conference during which Trump’s attorneys spouted all kinds of voting-related conspiracy theories, Krebs tweeted that the event was the most dangerous one hour and 45 minutes he had seen on television in American history.